pocs/firefox at main · v12-security/pocs · GitHub
Folders and files: README.md, poc.php
FirefUXSS: Universal XSS in Firefox Focus for iOS via Redirect-Scheme Validation Race Condition
FirefUXSS was discovered with V12 by @RenwaX23 of the V12 security team.
Want to find issues like this in your own code? Try V12 at v12.sh.
Status: 0-day, responsibly disclosed. After remaining unpatched for 11 months, we are now releasing our PoC (see Timeline below).
Demo video: 0608-noaudio.mp4
Proof of Concept
A simplified PoC (poc.php) is included in this repository. It demonstrates script execution against google.com, youtube.com, x.com, and reddit.com.
A live demo is available at https://firefoxuxss.v12.sh .
Responsible disclosure note: We are deliberately not publishing the full weaponized PoC shown in the video--the one capable of account takeover on X, Google, and Reddit--to limit the potential for abuse while the vulnerability remains unpatched.
Summary
Firefox Focus for iOS contains a Universal Cross-Site Scripting (UXSS) vulnerability that allows an attacker to execute arbitrary JavaScript in the security context of effectively any web origin the victim can be steered through. By winning a race condition in the browser's redirect-scheme validation logic, an attacker can smuggle a javascript: (or other dangerous-scheme) navigation past the filter that is supposed to block it, causing the script to run with the origin of the previously loaded document rather than being neutralized.
In practice this means a single click on an attacker-controlled link can result in script execution on high-value origins such as google.com, youtube.com, x.com, or reddit.com — enabling session theft, account takeover, and arbitrary actions on behalf of the victim.
This was reported to Mozilla and remains unpatched. See the Timeline for the full disclosure history.
Background
Every modern browser refuses to follow server-side redirects (an HTTP Location: response header) that point at a dangerous URI scheme such as javascript:, data:, or file:. If a server responds with:
HTTP/1.1 302 Found
Location: javascript:alert(document.domain)
a conformant browser will not execute the script — the navigation is dropped or treated inertly, precisely to prevent the exact class of attack described here.
The expected guarantee is: a redirect target's scheme is validated before the navigation is committed, and dangerous schemes are rejected.
Root Cause
Firefox Focus for iOS performs this scheme check, but the check is not atomic with respect to the navigation it guards — it is a classic time-of-check-to-time-of-use (TOCTOU) race.
Under normal load the validator rejects javascript: redirect targets correctly. However, when the redirect-handling path is flooded with a rapid burst of ordinary HTTP→HTTP redirects, the validator can be made to fall behind the navigation pipeline. By timing a final javascript: redirect to land inside this window, the dangerous-scheme check is effectively bypassed: the navigation is committed before (or instead of) being rejected.
Crucially, when the smuggled javascript: navigation does execute, it runs inheriting the origin of the document that was being replaced, rather than as a fresh, origin-less navigation. That origin inheritance is what turns a same-page script execution into a universal XSS — the script runs as google.com, x.com, etc.
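The two points above, the scheme check every browser applies to a Location: header and why that check must be bound to the commit rather than run ahead of it, are illustrated by the following added example. This is constructed illustration code, not Firefox Focus, WebKit or V12 code; the PendingNavigation record and the two commit functions are an assumed simplification of a redirect pipeline, used only to show the difference between a verdict computed earlier and a check performed on the URL actually being committed.

```python
"""Redirect-target scheme validation as a browser's redirect handler must
apply it: the check runs on the exact URL that is committed, at the moment
it is committed. Constructed illustration, not Firefox Focus/WebKit code."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Schemes a server-side redirect (Location: header) must never navigate to.
BLOCKED_SCHEMES = frozenset({"javascript", "data", "file", "vbscript"})

# Characters a URL parser strips from both ends of an input (C0 controls, space).
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def resolve_location(base_url: str, location: str) -> str:
    """Resolve a Location header value against the redirecting document's URL,
    after the normalisation URL parsers apply: leading/trailing controls and
    whitespace dropped, embedded tabs and newlines removed. Without this,
    "java\\tscript:" or " javascript:" would slip past a naive prefix check."""
    cleaned = location.strip(_C0_AND_SPACE)
    for ch in "\t\r\n":
        cleaned = cleaned.replace(ch, "")
    return urljoin(base_url, cleaned)


def is_blocked_scheme(url: str) -> bool:
    """Case-insensitive scheme check on an already-resolved URL."""
    return urlsplit(url).scheme.lower() in BLOCKED_SCHEMES


def validate_redirect(base_url: str, location: str) -> Optional[str]:
    """Return the resolved redirect target if it may be followed, else None."""
    target = resolve_location(base_url, location)
    return None if is_blocked_scheme(target) else target


@dataclass
class PendingNavigation:
    """Assumed pipeline record of what will be committed next. In a rapid
    redirect chain a later hop can overwrite `url` after an earlier check."""
    url: str
    origin: str  # origin of the document being replaced


def commit_with_stale_verdict(nav: PendingNavigation,
                              verdict_ok: bool) -> Optional[Tuple[str, str, str]]:
    """TOCTOU-prone pattern: trusts a verdict computed earlier on whatever URL
    the pipeline held at check time, then commits the *current* nav.url."""
    if not verdict_ok:
        return None
    return ("committed", nav.url, nav.origin)


def commit_checked(nav: PendingNavigation) -> Optional[Tuple[str, str, str]]:
    """Commit-time check: the URL that is validated is the URL that is
    committed, so no window exists between check and use."""
    if is_blocked_scheme(nav.url):
        return None
    return ("committed", nav.url, nav.origin)


def demo() -> dict:
    """Constructed scenario: the check passes on an ordinary hop, then the
    pending URL is replaced before commit. The stale-verdict commit lets a
    javascript: target through with the old document's origin; the
    commit-time check refuses it."""
    nav = PendingNavigation(url="https://example.org/step1",
                            origin="https://example.org")
    verdict_ok = validate_redirect(nav.origin, nav.url) is not None
    nav.url = "javascript:alert(document.domain)"  # later hop overwrites the record
    return {"stale": commit_with_stale_verdict(nav, verdict_ok),
            "checked": commit_checked(nav)}


if __name__ == "__main__":
    print(validate_redirect("https://example.org/a", "JaVaScRiPt:alert(1)"))
    print(demo())
```

The design point is in commit_checked: the scheme check takes the same object the commit uses, so no amount of pipeline backlog can separate the two. A check that produces a boolean consumed later, as in commit_with_stale_verdict, is only as good as the assumption that nothing touched the pending URL in between, which is exactly the assumption the race described above breaks.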
The _self requirement
The exploit only succeeds when the malicious page is loaded into the _self browsing context (i.e., navigating the current top-level document in place), not into a new window/tab.
Firefox Focus is a single-window browser with...